Advisories for Gem/Ruby-Saml package

2024

SAML authentication bypass via Incorrect XPath selector

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability was reported by ahacker1 of SecureSAML (ahacker1@securesaml.com)

2023
2019

Authentication bypass via incorrect DOM traversal and canonicalization

Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A …

2017

XML signature wrapping attack

The package ruby-saml is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced two elements at the same time (but past the scheme validator process since 1 of the element was inside the encrypted assertion).

2015

Arbitrary code execution

The gem contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine.